In Firefox, we currently use "eval-script" as part of the options directive:
https://wiki.mozilla.org/Security/CSP/Specification#Directives
But we will be changing that soon to match the CSP 1.0 specification.
~Tanvi
On 7/19/12 10:54 AM, Eric Chen wrote:
> Hi John:
>
> On Thu, Jul 19, 2012 at 10:45 AM, John J Barton
> <johnjbarton@johnjbarton.com <mailto:johnjbarton@johnjbarton.com>> wrote:
>
> Hi. I was looking into converting my application to use CSP when I
> learned that neither eval nor new Function() are allowed. I have a
> large application that uses these features to compile JS at
> runtime. I am wondering what alternatives are available.
>
>
> You can use 'unsafe-eval' to allow eval
>
>
> --
> -Eric
>